topic Re: Matching Dynamic IP in General Topics

Matching Dynamic IP

Bhattman — Thu, 19 Apr 2018 23:14:53 GMT

I hope the brilliant minds here can answer my question

I have a situation where I need to change NAT to translate in a specific way, I am looking at how the PA's behavior specific to how it selects IP address in a NAT pool based on the mask.

Here is the setup

Company A uses a public IP within their DMZ for sake of example Class A (4.0.0.0/8) address space. Now they connected that DMZ into the internet, they are going to have an issue because of conflict on the internet. However, Company A needs time to change the IP address, but still access the internet.

Possible Solution

So let's say the temporary solution would be to create an internet resolver that can spoof IP addresses once it see's any address within 4.0.0.0/8. So, for example, let's say a host in the DMZ does a lookup for internet website called "companyb.example.com" it resolves to the following A record of 4.199.12.12. The DNS receives the response and translates it to 11.199.12.12 and sends that response back to the host. Effectively the DNS is simply flipping the 1st octet to 11 and retains the remaining 3 octets. Then Host then makes a request to 11.199.12.12 and since 11.0.0.0/8 resolves to the internet the request heads to a PA firewall. Now, the million dollar question is . Can you configure the NAT on the PA where it can flip the first octet 11 to 4 and retain the last 3 octets? Thus following the example the destination IP of 11.199.12.12 translates back to 4.199.12.12.?

If so can the behavior be consistent with /16 or /12, etc

-=CB=-

NOTE: I understand that there will be a desire to say there is a limitation of the # of IP connections in a table for PA. I am interested in how it selects the IP in a given NAT pool if it's set where the original packet in a /8 will match up to the destination NAT IP pool

Re: Matching Dynamic IP

santonic — Fri, 20 Apr 2018 11:34:22 GMT

Theoretically it could maybe work with DNAT for all 11.0.0.0/8 to 4.0.0.0/8

But how will you access servers in 11.0.0.0/8 then? You would make those all inaccesible 🙂

Re: Matching Dynamic IP

santonic — Fri, 20 Apr 2018 11:36:34 GMT

Best solution would be proxy (which is not in 4.0.0.0/8), that would solve http, https, ftp... issues

Re: Matching Dynamic IP

Remo — Sat, 21 Apr 2018 13:01:34 GMT

Hi @Bhattman

Does company A really have assigned a /8 subnetmask to the servers or is it a little more segmented? And if yes are the networks directly connected to the firewall or is there a router between the dmz networks snd the firewall?

Re: Matching Dynamic IP

Bhattman — Fri, 27 Apr 2018 16:36:11 GMT

The assumption is that the host in the DMZ leverage DNS 100% to be directed to what is required to be access.

Re: Matching Dynamic IP

Bhattman — Fri, 27 Apr 2018 16:43:07 GMT

You have to assume that they are using DNS for the most part and those that need to go without they would re-IP. Which certainly is or managable then RE-IPing the entire environment under an aggressive timeplan.

Re: Matching Dynamic IP

Bhattman — Fri, 27 Apr 2018 16:44:00 GMT

That would be a good option, but in this case they have applications that don't understand how to leverage a proxy.

Re: Matching Dynamic IP

Harshit — Fri, 27 Apr 2018 20:30:50 GMT

So how big of a DMZ space is it, it maybe a /8 mask but how many actual servers are in that space.

I am assuming large enough not to make static entries ?

Regards,

~Harry

Re: Matching Dynamic IP

Bhattman — Sat, 28 Apr 2018 00:41:21 GMT

Yes it's too big to create 1-to-1 static NATs. What I am looking for trying to answer the behavior of the PA on how it assigns IP addresses when you configure the palo Alto to NAT from /8 range to another /8 range.

Will it randomly choose within the /8?

Will it choose a middle of the road IP?

Will it choose the last IP of that range?

Or will it try to match it up the original destination packet?

Re: Matching Dynamic IP

Remo — Sun, 29 Apr 2018 09:41:21 GMT

I have never configured it with a /8 subnet, but at least with a /24 subnet NAT will match the last octet. So I would assume if it even works with a /8 subnet, the firewall will try to match the original packet.

Re: Matching Dynamic IP

Bhattman — Sun, 29 Apr 2018 14:09:13 GMT

That is certainly promising.